#label:release v2.4.1
How to LGTM this PR:
Ensure you have installed the GitHub client from https://cli.github.com.
If it is not installed in your `PATH`, set `export GH=/path/to/your/gh`
Set your `export GH_TOKEN=...`
Use [verify-release.sh](./verify-release.sh) script in this repository:
```
bash verify-release.sh v2.4.1
```
Once it completes, you will see the last line `Verifying artifact /tmp/tmp.SomeRanDOm/`; then do:
```bash
sha256sum /tmp/tmp.SomeRanDOm/* | grep -v intoto
```
This will print out the hashes. Compare them to the changes in this PR.
---------
Signed-off-by: laurentsimon <laurentsimon@google.com>
How to LGTM this PR (I'll work on a proper doc for this in
https://github.com/slsa-framework/slsa-github-generator/issues/112):
1. Clone repo
```
$ git clone git@github.com:slsa-framework/slsa-verifier.git
$ cd slsa-verifier
$ bash verify-release.sh v2.4.0 # NOTE: use the file in _this_ PR.
# Note down the path to the temporary dir used. The bash script will print it on its first line as "INFO: using dir: /tmp/tmp.VaYi6HfbmL"
```
2. Run command below and compare to SHA256SUM.md in this PR
```
$ sha256sum /tmp/tmp.VaYi6HfbmL/*
```
The output hashes should be the hashes I'm updating to in this PR. If they
match, LGTM. If they don't, someone tampered with the released binary:
don't LGTM.
---------
Signed-off-by: laurentsimon <laurentsimon@google.com>
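The two LGTM procedures above compare `sha256sum` output against the checksum list in the PR by eye. The script below is an added example (not part of the slsa-verifier project or of either PR description) that automates that comparison: it hashes every downloaded artifact, looks each one up in a `SHA256SUM.md`-style file, and fails if any artifact is unlisted, mismatched, or listed but absent. It assumes the checksum file contains `<hex-sha256>  <filename>` lines in the shape `sha256sum` prints (any other lines, such as headings, are skipped), that filenames contain no spaces, and that `*.intoto.jsonl` provenance files are not themselves listed; the fixture directory it builds for the demo is constructed sample data, not real release artifacts.

```shell
#!/usr/bin/env bash
# Added example: check downloaded release artifacts against a SHA256SUM.md
# file. Not the slsa-verifier project's verify-release.sh.
set -u

# verify_sums <checksum-file> <artifact-dir>
# Prints one status line per artifact. Returns 0 only when every artifact in
# the directory has a matching checksum entry AND every listed artifact is
# present; any MISSING, MISMATCH or ABSENT line makes it return 1.
verify_sums() {
  local sums="$1" dir="$2" rc=0
  local f name want got
  for f in "$dir"/*; do
    name=$(basename -- "$f")
    # The provenance attestation itself is not listed in the checksum file.
    case "$name" in *.intoto.jsonl) continue ;; esac
    got=$(sha256sum -- "$f" | cut -d' ' -f1)
    # Assumed file format: "<hash>  <filename>" (awk default field splitting).
    want=$(awk -v n="$name" '$2 == n { print $1; exit }' "$sums")
    if [ -z "$want" ]; then
      echo "MISSING   $name (not in checksum file)"; rc=1
    elif [ "$want" != "$got" ]; then
      echo "MISMATCH  $name (expected $want, got $got)"; rc=1
    else
      echo "OK        $name"
    fi
  done
  # Every listed artifact must also have been downloaded.
  while read -r want name; do
    case "$want" in ""|*[!0-9a-f]*) continue ;; esac   # skip headings etc.
    [ "${#want}" -eq 64 ] || continue
    [ -e "$dir/$name" ] || { echo "ABSENT    $name (listed but not downloaded)"; rc=1; }
  done < "$sums"
  return "$rc"
}

# make_fixture <workdir> <ok|tamper|extra>
# Constructed sample data: two fake "binaries", a fake provenance file and a
# checksum file generated from the untampered binaries.
make_fixture() {
  local work="$1" mode="$2" dir="$1/artifacts"
  mkdir -p "$dir"
  printf 'constructed sample binary one\n' > "$dir/slsa-verifier-linux-amd64"
  printf 'constructed sample binary two\n' > "$dir/slsa-verifier-darwin-amd64"
  printf '{}\n' > "$dir/slsa-verifier-linux-amd64.intoto.jsonl"
  {
    echo '## SHA256 checksums (constructed sample)'
    echo
    (cd "$dir" && sha256sum slsa-verifier-linux-amd64 slsa-verifier-darwin-amd64)
  } > "$work/SHA256SUM.md"
  case "$mode" in
    tamper) printf 'modified after release\n' > "$dir/slsa-verifier-darwin-amd64" ;;
    extra)  printf 'unlisted file\n' > "$dir/slsa-verifier-windows-amd64.exe" ;;
  esac
}

# demo <ok|tamper|extra>  -> exit status of verify_sums on a fresh fixture
demo() {
  local work rc
  work=$(mktemp -d)
  make_fixture "$work" "$1"
  verify_sums "$work/SHA256SUM.md" "$work/artifacts"
  rc=$?
  rm -rf "$work"
  return "$rc"
}

# Real use: verify_sums /path/to/SHA256SUM.md /tmp/tmp.SomeRanDOm
# Stand-alone demo on the constructed fixtures:
echo "== untampered =="; demo ok
echo "== tampered binary =="; demo tamper || echo "verification failed as expected"
echo "== unlisted artifact =="; demo extra || echo "verification failed as expected"
```

A non-zero exit from `verify_sums` is the "don't LGTM" signal from the procedure above; on a real review, point it at the `SHA256SUM.md` from the PR checkout and at the temporary directory the release script printed.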
* feat: remove experimental on Sigstore bundle and v1.0 SLSA provenance format
Signed-off-by: Asra Ali <asraa@google.com>
* docs: update verifier README.md for docker-based builder
Signed-off-by: Asra Ali <asraa@google.com>
---------
Signed-off-by: Asra Ali <asraa@google.com>
* docs: remove duplicated table of contents
Signed-off-by: Asra Ali <asraa@google.com>
* fix action installation list
Signed-off-by: Asra Ali <asraa@google.com>
---------
Signed-off-by: Asra Ali <asraa@google.com>
Update README.md
Adding an alternative option for installing slsa-verifier if you do not rely on additional tooling. The benefit of this option is improved readability.
Signed-off-by: Drew Roen <102626803+drewroengoogle@users.noreply.github.com>
Co-authored-by: Ian Lewis <ianlewis@google.com>
* Remove limit of number of artifacts to verify
Signed-off-by: Mihai Maruseac <mihaimaruseac@google.com>
* Update short description
Mention that we support multiple artifacts as long as they come from the
same provenance.
Signed-off-by: Mihai Maruseac <mihaimaruseac@google.com>
* Verify all artifacts passed in cmdline
Signed-off-by: Mihai Maruseac <mihaimaruseac@google.com>
* Remove header of verify step output
Signed-off-by: Mihai Maruseac <mihaimaruseac@google.com>
* Format the `cobra.Command.Use` argument
Signed-off-by: Mihai Maruseac <mihaimaruseac@google.com>
* Don't return a slice of builderIDs.
Since all images should come from the same provenance file, there's an
invariant that we will always get exactly one builderID. So, no need to
return a slice of them.
Just to preempt the case when the invariant would be broken, add a
specific check.
Signed-off-by: Mihai Maruseac <mihaimaruseac@google.com>
* Change existing tests to support multiple artifacts.
No new tests added, just changing table test data type.
Signed-off-by: Mihai Maruseac <mihaimaruseac@google.com>
* [nfc] Format test file
Signed-off-by: Mihai Maruseac <mihaimaruseac@google.com>
* Change test to allow passing multiple artifacts.
For now, just allow passing the entire array of artifacts to command
line / arguments. The functionality should still be the same.
Signed-off-by: Mihai Maruseac <mihaimaruseac@google.com>
* Fix typo
Signed-off-by: Mihai Maruseac <mihaimaruseac@google.com>
* Fix path to test artifacts
Signed-off-by: Mihai Maruseac <mihaimaruseac@google.com>
* Allow different provenance path
Signed-off-by: Mihai Maruseac <mihaimaruseac@google.com>
* Try 2 artifacts from existing testdata
Signed-off-by: Mihai Maruseac <mihaimaruseac@google.com>
* Add more tests for multiple artifacts
Signed-off-by: Mihai Maruseac <mihaimaruseac@google.com>
* Add failing test
Signed-off-by: Mihai Maruseac <mihaimaruseac@google.com>
* Fix artifact and error
Signed-off-by: Mihai Maruseac <mihaimaruseac@google.com>
* Add final test: no artifact match
Signed-off-by: Mihai Maruseac <mihaimaruseac@google.com>
* Update README.md
Signed-off-by: Mihai Maruseac <mihaimaruseac@google.com>
https://github.com/slsa-framework/slsa-verifier/pull/375#discussion_r1037775148
I found this doesn't work.
To install slsa-verifier v2 by go install, we have to release v2.0.1 or later.
```
go install github.com/slsa-framework/slsa-verifier/v2/cli/slsa-verifier@v2.0.0
go: github.com/slsa-framework/slsa-verifier/v2/cli/slsa-verifier@v2.0.0: github.com/slsa-framework/slsa-verifier@v2.0.0: invalid version: module contains a go.mod file, so module path must match major version ("github.com/slsa-framework/slsa-verifier/v2")
```
Signed-off-by: Shunsuke Suzuki <suzuki.shunsuke.1989@gmail.com>